Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2022 20:00
Static task: static1
Behavioral task: behavioral1
Sample: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
Resource: win7-20220715-en
General
Target: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
Size: 305KB
MD5: 843485dbff12620fb58532fab189a3fe
SHA1: fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65
SHA256: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
SHA512: a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00
Malware Config
Extracted
Family: formbook
Version: 3.8
Campaign: hx227
C2 domains (65 listed):
lapizapps.com
heitoping.com
pthelperspositivev.win
gmxpic.com
valuecodeliving.com
kredit-hilfe-gesucht.com
totalwebservices.online
impressionscarpetcleaning.net
cqpsds.info
1q2fiveafter.men
campbellpropertiesuk.com
avalon.loans
bankcardssite.market
connqa.com
luludallas.com
acessoitaucard.net
ad-concier.com
blrsi.com
zecrypto.com
com-services-secure-id.info
umniy-dom.info
grande-pleasures.com
batsonmedia.com
altcointrend.com
of-the-family.business
plasmapentraining.com
karladith.com
akshaykumar.club
xiranshangwu.com
alkalmiruhabolt.com
rimc5zq0u.com
tecnologiabig.com
wealthexposandiego.com
faismoiuneoffre.com
javi.today
yhtzlc.com
svc.group
uptownbiscayne.net
princegeorgebcgiftbaskets.com
ciraexport.online
wreckingballuk.com
brick-machine-equipment.com
thebeachheights.com
bombshellfitnessandflavor.com
edifyfoundation.com
btcandres.com
equalscan9558.win
thebarecampaign.com
lyrthz.men
rothschild.science
laberdesque.com
walktofinancialfreedom.com
magna5global.cloud
tv17364.info
rongjinyin.com
dodino.rocks
casadoscelulares.com
largeformatwines.com
iversonrand.com
allyfayefit.com
insurance4vanhire.com
village-place.com
imjwsv.men
xlzitv.men
khamattqy.com
Caveat: a FormBook configuration carries a long domain list of which usually only one is the live C2; the others are decoys, several of them legitimate sites. Use the list for blocking and hunting, but do not treat every entry as attacker-controlled. The Suricata "FormBook CnC Checkin" alerts below confirm the sample reached one of them during this run.
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook payload (6 IoCs)
YARA rule "formbook" matched in these memory dumps:
behavioral1/memory/2016-70-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2016-71-0x000000000041B620-mapping.dmp
behavioral1/memory/2016-75-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2016-83-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/560-87-0x00000000000D0000-0x00000000000FA000-memory.dmp
behavioral1/memory/560-91-0x00000000000D0000-0x00000000000FA000-memory.dmp
Both matching regions are 0x2A000 bytes (168KB): the unpacked FormBook image at the 0x400000 image base of the hollowed ncvmxzo.exe (PID 2016), and the same image again at 0xD0000 inside wininit.exe (PID 560).

Executes dropped EXE (3 IoCs)
PID 616 ncvmxzo.exe
PID 1120 ncvmxzo.exe
PID 2016 ncvmxzo.exe

Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe (by 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe (by 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe)

Loads dropped DLL (2 IoCs)
PID 484 cmd.exe (2 entries)

Adds Run key to start application (2 TTPs, 4 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncvmxzoureascvnz = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ncvmxzoureascvnz.txt | cmd" (reg.exe)
Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (wininit.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HTLHUR5XGVH = "C:\\Program Files (x86)\\C_nd0hbm\\updatebx4h_ru.exe" (wininit.exe)
The HKCU value never names the payload: it pipes the contents of a text file in the user's Temp directory into a second cmd.exe, so the command that actually runs at logon lives in ncvmxzoureascvnz.txt and a registry-only autorun review will not show it. Collect that file together with the key.

Suspicious use of SetThreadContext (4 IoCs)
PID 616 (ncvmxzo.exe) set thread context of PID 2016 (ncvmxzo.exe)
PID 2016 (ncvmxzo.exe) set thread context of PID 1264 (Explorer.EXE)
PID 2016 (ncvmxzo.exe) set thread context of PID 1264 (Explorer.EXE)
PID 560 (wininit.exe) set thread context of PID 1264 (Explorer.EXE)

Drops file in Program Files directory (1 IoC)
File opened for modification: C:\Program Files (x86)\C_nd0hbm\updatebx4h_ru.exe (wininit.exe)

Modifies Internet Explorer settings (1 IoC listed)
Key created: \Registry\User\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (wininit.exe)
IntelliForms\Storage2 is where Internet Explorer keeps saved form and password autocomplete data, a standard target for a credential stealer.
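The two Run values above are worth turning into a reusable check. The following is an added example for this page (not code from the sandbox or from the sample): it triages autorun values the way an analyst would after reading this report, flagging the "type file | cmd" indirection, references to the user's Temp directory, and an .exe sitting in a random-looking folder directly under Program Files. The two malicious values are copied from the IoCs above; the two benign entries and the "folder name contains a digit" heuristic are constructed for this example.

```python
"""Autorun-value triage for the persistence seen in this report.

Added example, not code from the sandbox or the sample. The two malicious
values are taken from the "Adds Run key" IoCs; the two benign ones are
constructed for contrast. Feed it real data from a registry export or an
EDR query; the heuristics are a starting point, not a full allowlist.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RunValue:
    key: str    # registry key path as logged
    name: str   # value name
    data: str   # REG_SZ command line


# The command to run at logon is read from a text file and piped into a
# second cmd.exe, so the registry value alone never shows the payload.
PIPE_TO_CMD = re.compile(r"\btype\b[^|]*\|\s*cmd(?:\.exe)?\b", re.IGNORECASE)
# Anything under the user's Temp directory has no business in an autorun.
TEMP_REF = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%|%TMP%", re.IGNORECASE)
# An .exe one level under Program Files in a folder that does not look like
# a vendor name (heuristic of this example: the folder name contains a digit).
RANDOM_PF_EXE = re.compile(
    r'^"?[A-Za-z]:\\Program Files(?: \(x86\))?\\(?P<dir>[A-Za-z0-9_-]+)\\[^\\"]+\.exe"?(?:\s.*)?$',
    re.IGNORECASE,
)

R_PIPE = "pipes a text file into cmd"
R_TEMP = "references the user Temp directory"
R_RANDOM_DIR = "executable in random-looking Program Files folder"


def reasons_for(rv):
    """Return the list of reasons a single Run value is suspicious (empty if none)."""
    reasons = []
    if PIPE_TO_CMD.search(rv.data):
        reasons.append(R_PIPE)
    if TEMP_REF.search(rv.data):
        reasons.append(R_TEMP)
    m = RANDOM_PF_EXE.match(rv.data)
    if m and re.search(r"\d", m.group("dir")):
        reasons.append(R_RANDOM_DIR)
    return reasons


def scan(values):
    """Map value name -> reasons, for flagged values only."""
    hits = {}
    for rv in values:
        reasons = reasons_for(rv)
        if reasons:
            hits[rv.name] = reasons
    return hits


HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN32 = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_RUN_VALUES = [
    # the two values written in this report
    RunValue(HKCU_RUN, "ncvmxzoureascvnz",
             r"cmd /c type C:\Users\Admin\AppData\Local\Temp\ncvmxzoureascvnz.txt | cmd"),
    RunValue(HKLM_RUN32, "HTLHUR5XGVH",
             r"C:\Program Files (x86)\C_nd0hbm\updatebx4h_ru.exe"),
    # constructed benign entries for contrast
    RunValue(HKLM_RUN32, "SunJavaUpdateSched",
             r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"'),
    RunValue(HKCU_RUN, "OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a live host the same records come from `reg query` or `Get-ItemProperty` over the HKCU and HKLM Run keys (including the Wow6432Node key on 64-bit systems); when the pipe-to-cmd pattern fires, the referenced .txt file is the artefact to collect, because that is where the real command line is.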
Suspicious behavior: EnumeratesProcesses (30 IoCs)
PID 788 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe (2 entries)
PID 616 ncvmxzo.exe (2 entries)
PID 2016 ncvmxzo.exe (3 entries)
PID 560 wininit.exe (23 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
PID 2016 ncvmxzo.exe (4 entries)
PID 560 wininit.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeDebugPrivilege, PID 788 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
Token: SeDebugPrivilege, PID 616 ncvmxzo.exe
Token: SeDebugPrivilege, PID 2016 ncvmxzo.exe
Token: SeDebugPrivilege, PID 560 wininit.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
PID 1264 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
PID 1264 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (35 IoCs)
PID 788 (57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe) wrote to memory of PID 484 (cmd.exe): 4 entries
PID 484 (cmd.exe) wrote to memory of PID 616 (ncvmxzo.exe): 4 entries
PID 616 (ncvmxzo.exe) wrote to memory of PID 2044 (cmd.exe): 4 entries
PID 2044 (cmd.exe) wrote to memory of PID 2040 (reg.exe): 4 entries
PID 616 (ncvmxzo.exe) wrote to memory of PID 1120 (ncvmxzo.exe): 4 entries
PID 616 (ncvmxzo.exe) wrote to memory of PID 2016 (ncvmxzo.exe): 7 entries
PID 1264 (Explorer.EXE) wrote to memory of PID 560 (wininit.exe): 4 entries
PID 560 (wininit.exe) wrote to memory of PID 632 (cmd.exe): 4 entries
Every parent/child pair in the tree shows four writes; the 616 to 2016 pair shows seven, and it is the same pair that appears in the SetThreadContext signature. The extra writes are the payload being placed into that suspended child before its thread context is redirected, which is why the formbook rule matches at 0x400000 in PID 2016.
Processes
(tree depth in brackets; PIDs taken from the signature entries above)

[1] C:\Windows\Explorer.EXE (PID 1264)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe (PID 788)
      command line: "C:\Users\Admin\AppData\Local\Temp\57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe"
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 484)
        command line: cmd
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe (PID 616)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe (PID 2044)
            command line: cmd
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe (PID 2040)
              command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ncvmxzoureascvnz" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ncvmxzoureascvnz.txt" | cmd"
              - Adds Run key to start application

        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe (PID 1120)
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
            - Executes dropped EXE

        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe (PID 2016)
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\wininit.exe (PID 560)
      command line: "C:\Windows\SysWOW64\wininit.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 632)
        command line: /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"

Of the two depth-5 ncvmxzo.exe children, PID 2016 is the one that shows SetThreadContext and MapViewOfSection and is the hollowed copy that carries the FormBook payload; PID 1120 only executes. The second top-level branch is the tell: a 32-bit wininit.exe started from SysWOW64 as a child of Explorer.EXE. The genuine wininit.exe runs once per boot from System32 under smss.exe, so this one is the injected Explorer spawning a system-named host process for the stealer, which then writes the Program Files copy and Run key and deletes the Startup copy of the dropper.
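The chain in this tree can be checked mechanically. The following is an added example for this page (not code from the sandbox or the sample): it replays the process creations and SetThreadContext calls from the report as constructed event records and runs three detections over them. Explorer's own parent is not in the report, so its ppid is set to 0 here; the list of core system binaries and the "user shell" set are assumptions of this example, not data from the page.

```python
"""Detections for the FormBook execution chain in this report.

Added example for this page; it is not code from the sandbox or the sample.
PROCS and CTX_EVENTS are constructed from the process tree and the
SetThreadContext signature (Explorer's parent is not in the report, so its
ppid is 0 here). CORE_SYSTEM and USER_SHELLS are assumptions of this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # full image path as logged
    cmdline: str


@dataclass(frozen=True)
class SetThreadContext:
    pid: int         # caller
    target_pid: int  # process owning the thread whose context was set


STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe"

PROCS = [
    Proc(1264, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(788, 1264, SAMPLE, f'"{SAMPLE}"'),
    Proc(484, 788, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    Proc(616, 484, STARTUP, f'"{STARTUP}"'),
    Proc(2044, 616, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    Proc(2040, 2044, r"C:\Windows\SysWOW64\reg.exe",
         r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ncvmxzoureascvnz" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ncvmxzoureascvnz.txt" | cmd"'),
    Proc(1120, 616, STARTUP, f'"{STARTUP}"'),
    Proc(2016, 616, STARTUP, f'"{STARTUP}"'),
    Proc(560, 1264, r"C:\Windows\SysWOW64\wininit.exe", r'"C:\Windows\SysWOW64\wininit.exe"'),
    Proc(632, 560, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{STARTUP}"'),
]
CTX_EVENTS = [SetThreadContext(616, 2016), SetThreadContext(2016, 1264),
              SetThreadContext(2016, 1264), SetThreadContext(560, 1264)]

# Binaries a healthy boot chain starts from System32 via smss/wininit,
# never under an interactive shell (assumption of this example).
CORE_SYSTEM = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
               "services.exe", "lsass.exe"}
USER_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def masquerading_core(procs):
    """PIDs of core system binaries running from the wrong directory or under a shell."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _base(p.image) not in CORE_SYSTEM:
            continue
        parent = by_pid.get(p.ppid)
        wrong_dir = _dir(p.image) != r"c:\windows\system32"
        wrong_parent = parent is not None and _base(parent.image) in USER_SHELLS
        if wrong_dir or wrong_parent:
            hits.append(p.pid)
    return hits


def injection_summary(procs, events):
    """Classify each cross-process SetThreadContext, de-duplicated, in event order."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for e in events:
        if e.pid == e.target_pid:
            continue
        src, dst = by_pid[e.pid], by_pid[e.target_pid]
        if dst.ppid == src.pid and _base(dst.image) == _base(src.image):
            kind = "hollowed own child"        # RunPE style: suspended copy of itself
        else:
            kind = "injected into " + _base(dst.image)
        rec = (e.pid, e.target_pid, kind)
        if rec not in out:
            out.append(rec)
    return out


DEL_RE = re.compile(r'\bdel\b\s+"?([^"|&]+?\.exe)"?', re.IGNORECASE)


def deletes_traced_image(procs):
    """(pid, path) for every 'del' whose target is the image of a process in the trace."""
    images = {p.image.lower() for p in procs}
    hits = []
    for p in procs:
        m = DEL_RE.search(p.cmdline)
        if m and m.group(1).lower() in images:
            hits.append((p.pid, m.group(1)))
    return hits


def ancestry(procs, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    print("masquerading core binaries:", masquerading_core(PROCS))
    print("thread-context injection:", injection_summary(PROCS, CTX_EVENTS))
    for pid, path in deletes_traced_image(PROCS):
        print("self-delete by", pid, "->", " -> ".join(ancestry(PROCS, pid)), ":", path)
```

Against the report's events the first check returns PID 560 (wininit.exe from SysWOW64 under Explorer), the second returns the 616 to 2016 hollowing and the two injections into Explorer.EXE, and the third returns the cmd.exe that deletes the Startup copy. Each of the three is a rule you can carry to EDR telemetry on its own; the combination is what makes the FormBook pattern distinctive.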
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
(listed four times with this path and twice more as \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe; all six entries carry the same hashes)
Filesize: 305KB
MD5: 843485dbff12620fb58532fab189a3fe
SHA1: fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65
SHA256: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
SHA512: a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00
These hashes are identical to the submitted sample: the dropper copies itself unchanged into the Startup folder under a new name, so a hash-based block on the original also covers the Startup copy.

C:\Users\Admin\AppData\Roaming\N9-QS0A1\N9-logim.jpeg
Filesize: 64KB
MD5: cf4aabcaa83bc15453e388ff990c1f4c
SHA1: c70fc9db61849a7145e389c544df8c26daee7ed8
SHA256: 0fcee152685649447e039e546dcf44e237d980c8374a1565691c6e32d207881f
SHA512: c5aa103e92084f1aeb3cd594a54021562af4959c8a48e738c3cdfef059939f595a9231afa567386c2d4660e7329d808ae6a7fe53780caeedf3ee57cec5b5df58

C:\Users\Admin\AppData\Roaming\N9-QS0A1\N9-logri.ini
Filesize: 40B
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\N9-QS0A1\N9-logrv.ini
Filesize: 40B
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

The N9-QS0A1 folder with its *-logim.jpeg, *-logri.ini and *-logrv.ini files is FormBook's staging directory for stolen data (a screenshot and the keystroke and clipboard logs). The 40-byte .ini files show that nothing substantial was captured in this short, unattended run; the hashes of these three files are specific to this execution and are not useful as indicators on their own.
Memory dumps (memory/<pid>-<sequence>-<address range>; sorted by PID)
memory/484-56-0x0000000000000000-mapping.dmp
memory/560-82-0x0000000000000000-mapping.dmp
memory/560-85-0x0000000000800000-0x000000000081A000-memory.dmp  104KB
memory/560-86-0x0000000001F40000-0x0000000002243000-memory.dmp  3.0MB
memory/560-87-0x00000000000D0000-0x00000000000FA000-memory.dmp  168KB
memory/560-89-0x0000000000760000-0x00000000007F3000-memory.dmp  588KB
memory/560-91-0x00000000000D0000-0x00000000000FA000-memory.dmp  168KB
memory/616-60-0x0000000000000000-mapping.dmp
memory/616-72-0x0000000074B40000-0x00000000750EB000-memory.dmp  5.7MB
memory/616-88-0x0000000074B40000-0x00000000750EB000-memory.dmp  5.7MB
memory/632-84-0x0000000000000000-mapping.dmp
memory/788-54-0x0000000076601000-0x0000000076603000-memory.dmp  8KB
memory/788-55-0x0000000074B40000-0x00000000750EB000-memory.dmp  5.7MB
memory/788-63-0x0000000074B40000-0x00000000750EB000-memory.dmp  5.7MB
memory/1264-78-0x0000000004280000-0x000000000435E000-memory.dmp  888KB
memory/1264-81-0x0000000006940000-0x0000000006AA2000-memory.dmp  1.4MB
memory/1264-90-0x0000000006AB0000-0x0000000006B87000-memory.dmp  860KB
memory/1264-92-0x0000000006AB0000-0x0000000006B87000-memory.dmp  860KB
memory/2016-67-0x0000000000400000-0x000000000042A000-memory.dmp  168KB
memory/2016-68-0x0000000000400000-0x000000000042A000-memory.dmp  168KB
memory/2016-70-0x0000000000400000-0x000000000042A000-memory.dmp  168KB
memory/2016-71-0x000000000041B620-mapping.dmp
memory/2016-75-0x0000000000400000-0x000000000042A000-memory.dmp  168KB
memory/2016-76-0x0000000000770000-0x0000000000A73000-memory.dmp  3.0MB
memory/2016-77-0x0000000000290000-0x00000000002A4000-memory.dmp  80KB
memory/2016-80-0x00000000003D0000-0x00000000003E4000-memory.dmp  80KB
memory/2016-83-0x0000000000400000-0x000000000042A000-memory.dmp  168KB
memory/2040-65-0x0000000000000000-mapping.dmp
memory/2044-64-0x0000000000000000-mapping.dmp